Many Web sites embed third-party content in frames, relying on the browser's security policy to protect against malicious
content. However, frames provide insufficient isolation in browsers that let framed content navigate other frames. We evaluate
existing frame navigation policies and advocate a stricter policy, which we deploy in the open-source browsers. In addition
to preventing undesirable interactions, the browser's strict isolation policy also affects communication between cooperating
frames. We therefore analyze two techniques for interframe communication between isolated frames. The first method, fragment
identifier messaging, initially provides confidentiality without authentication, which we repair using concepts from a well-known
network protocol. The second method, postMessage, initially provides authentication, but we discover an attack that breaches
confidentiality. We propose improvements in the postMessage API to provide confidentiality; our proposal has been standardized
and adopted in browser implementations.